Is it possible for JIT Groups to work with Workforce Identity?

[cajunm]

I'm working on a buildout that has some specific requirements where I'll have project folders for various customers, each needing different levels of access to only their projects. Each customer has their own external domain/directory where users are assigned to groups with different levels of access. My goal was to possibly leverage JIT Groups so that a customer would login through their external IDP into GCP with Workforce Identity, they would then be able to request roles that their account would have access to and perform whatever they need to do.

Is it possible for JIT Groups to work with Workforce Identity so identities from external IDPs and domains can login?

Thank you

[jpassing]

No, JIT Groups doesn't work with workforce identity.

JIT Groups manages Cloud Identity groups. It creates groups, adds/removes memberships as necessary, and can grant groups access to Google Cloud resources. W.r.t. workforce identity, the challenge is:

• Cloud Identity groups don't support workforce identity principals. It's not possible to add a workforce identity principal to a Cloud Identity group, and I don't expect that to ever become possible because Cloud Identity groups are a concept that's specific to Google identities and entirely unrelated to workforce identity.
• There's no equivalent "roster" construct for workforce identity principals. With workforce identity, the idea is that all information that's relevant for making authorization decisions is exchanged during single sign-on, and that includes a user's group memberships (google.groups attribute mapping). Once a user's sign-on has completed, it's no longer possible to "add the user to another group" and have it take effect in the same session.

My goal was to possibly leverage JIT Groups so that a customer would login through their external IDP into GCP with Workforce Identity, they would then be able to request roles that their account would have access to and perform whatever they need to do.

I understand the use case, but I'm not sure such a model is viable. I'd see three options:

1. You can use workforce identity federation, with one pool per customer (to prevent clashes). But group memberships have to be managed in the external IdP (and brought cross during SSO).
2. You can use Cloud Identity, using one SSO profile per customer (or better, one account per customer). You can then use groups (with or without JIT Groups) to manage access to resources. The main caveat here is that user accounts need to be provisioned ahead of time into Cloud Identity.
3. You can use a (third-party) federating IdP that (a) integrates with all the customer IdPs and (b) lets you manage access groups. Note that I don't have any specific vendor in mind here.

-Johannes